Increased network security requirements have driven computer network providers and users to require network security measures, such as implementation of one or more firewalls on a network, that provide data security. A firewall enhances security using various methods, including, among other things, packet filtering.
Packet filtering allows a network to control the flow of Internet Protocol (IP) packets to and from a server. IP packet filters are a set of rules that include specific match criteria, e.g. source address, source port, destination address, destination port, etc. Each packet filter also includes an action to perform on traffic that matches one or more of the match criteria, e.g. pass, block, etc.
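The following is an added illustration of the rule model just described (match criteria plus an action, evaluated first-match with a default of block); it is not code from the patent. The `Packet` and `Rule` classes, the `filter_packet` function and the sample rule set with documentation-range addresses are all constructed for this example. The example also shows one point the text implies but does not spell out: because the first matching rule decides, the order of the rules is part of the policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a static packet filter inspects (constructed model, not a parser)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter rule: match criteria (None means 'any') plus an action."""
    action: str                  # "pass" or "block"
    src: Optional[str] = None    # single IP or CIDR, e.g. "203.0.113.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every criterion that is set must match; unset criteria match anything."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First-match evaluation: the first rule whose criteria all match decides.
    If no rule matches, the default applies (default deny here)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set; all addresses are documentation ranges, not real hosts.
RULES = [
    Rule("block", src="203.0.113.0/24"),                    # placed first so it overrides the pass rules below
    Rule("pass", dst="10.0.0.5", proto="tcp", dport=443),   # HTTPS to the web server
    Rule("pass", dst="10.0.0.53", proto="udp", dport=53),   # DNS to the resolver
]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.0.0.5", "tcp", 51000, 443),   # allowed HTTPS
        Packet("203.0.113.9", "10.0.0.5", "tcp", 51000, 443),    # blocked by the source-range rule
        Packet("198.51.100.7", "10.0.0.5", "tcp", 51000, 22),    # no matching rule: default block
        Packet("198.51.100.7", "10.0.0.53", "udp", 4000, 53),    # allowed DNS
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}: {filter_packet(RULES, p)}")
    # Reversing the rule order lets the blocked range through: ordering is policy.
    print("reversed rules:", filter_packet(RULES[::-1], samples[1]))
```

Running the block prints the decision for each constructed packet; the last line demonstrates that moving the block rule after the pass rules changes the outcome for the same packet.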
Dynamic packet filtering is supported by some firewalls. With dynamic packet filtering, ports open automatically only as required for communications and ports close when the communication ends. This approach minimizes the number of exposed ports, in either direction, and provides a high level of network security.
For stateful inspection, the source and destination addresses indicated in the IP header, and the ports in the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header, are inspected to identify the network service or application in use.
Dynamic packet filters enable opening a port only in response to a user's request and only for the duration required to satisfy that request, reducing the vulnerability associated with open ports. Some advanced firewalls determine which packets can be transferred from TCP and UDP connections transparently to the socket level of the firewall (server). Using this technology, the firewall can capture connections between two hosts, inspect and possibly modify the information transmitted by way of the connection.
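The dynamic filtering behaviour described in the preceding paragraphs (a port opened only in response to a request from the protected side, kept open only while that communication lasts, and closed when it ends or goes idle) is modelled below as an added example; this is not the patent's own code. The `DynamicFilter` class, its flow table keyed by the addresses and ports stateful inspection reads from the IP and TCP/UDP headers, and the `scenario` walk-through are constructed. Two simplifications are assumed and marked in the code: a single FIN or RST closes the entry, and UDP flows close only by idle timeout.

```python
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

FlowKey = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


class DynamicFilter:
    """Connection-tracking filter (constructed model): a pinhole is opened only by a
    request from the inside network and only for as long as that communication lasts."""

    def __init__(self, inside_net: str, idle_timeout: float = 30.0):
        self.inside = ipaddress.ip_network(inside_net)
        self.idle_timeout = idle_timeout
        self.table: Dict[FlowKey, float] = {}   # open flows -> time last seen

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def _expire(self, now: float) -> None:
        # Idle flows are closed so the pinhole does not outlive the communication.
        for key in [k for k, seen in self.table.items() if now - seen > self.idle_timeout]:
            del self.table[key]

    def process(self, src: str, sport: int, dst: str, dport: int, proto: str,
                now: float, flags: FrozenSet[str] = frozenset()) -> str:
        """Decide 'pass' or 'block' for one packet, updating the flow table."""
        self._expire(now)
        fwd: FlowKey = (src, sport, dst, dport, proto)
        rev: FlowKey = (dst, dport, src, sport, proto)
        # Packets of an already-open flow pass in either direction.
        for key in (fwd, rev):
            if key in self.table:
                if flags & {"FIN", "RST"}:
                    del self.table[key]      # simplification: one FIN/RST ends the flow
                else:
                    self.table[key] = now    # refresh the idle timer
                return "pass"
        # No state: only an outbound request from the inside may open a new flow.
        new_tcp = proto == "tcp" and "SYN" in flags and "ACK" not in flags
        if self._inside(src) and not self._inside(dst) and (proto == "udp" or new_tcp):
            self.table[fwd] = now
            return "pass"
        return "block"

    def open_flows(self) -> int:
        return len(self.table)


def scenario() -> List[str]:
    """Constructed packet sequence; addresses are documentation ranges."""
    fw = DynamicFilter("10.0.0.0/24", idle_timeout=30.0)
    syn, synack, finack, ack = (frozenset(s) for s in ({"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}, {"ACK"}))
    return [
        fw.process("198.51.100.10", 40000, "10.0.0.5", 22, "tcp", 0.0, syn),      # unsolicited inbound: block
        fw.process("10.0.0.5", 51000, "198.51.100.10", 80, "tcp", 1.0, syn),      # inside client opens: pass
        fw.process("198.51.100.10", 80, "10.0.0.5", 51000, "tcp", 1.1, synack),   # reply on that flow: pass
        fw.process("198.51.100.10", 80, "10.0.0.5", 51001, "tcp", 1.2, synack),   # other client port: block
        fw.process("10.0.0.5", 51000, "198.51.100.10", 80, "tcp", 2.0, finack),   # client ends the flow: pass
        fw.process("198.51.100.10", 80, "10.0.0.5", 51000, "tcp", 2.5, ack),      # pinhole closed: block
        fw.process("10.0.0.5", 4000, "198.51.100.53", 53, "udp", 3.0),            # DNS query opens: pass
        fw.process("198.51.100.53", 53, "10.0.0.5", 4000, "udp", 3.1),            # DNS answer: pass
        fw.process("198.51.100.53", 53, "10.0.0.5", 4000, "udp", 60.0),           # idle timeout elapsed: block
    ]


if __name__ == "__main__":
    for i, decision in enumerate(scenario(), 1):
        print(f"packet {i}: {decision}")
```

The scenario shows the two properties the text attributes to dynamic filtering: the inbound packet at step 1 and the reply aimed at a different port at step 4 are blocked because no inside request created state for them, and the packets at steps 6 and 9 are blocked because the earlier communication had ended (by FIN) or gone idle.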
One limitation of this technology is that it only operates in one direction. In other words, a port opened for communication with a host on a network only communicates with that particular host. To communicate with another host, a new port is opened with the other host. Communications between the hosts must utilize both ports in the firewall.
FIG. 1a depicts a simplified prior art network diagram 100 having a Host A 102, a firewall 104 and a Host B 106. When Host A 102 transmits a packet to Host B 106, the packet is initially transmitted to a first socket in the firewall 104 (Firewall(1) 108). The connection shown from Host A 102 to Firewall(1) 108 indicates a source of Host A 102 with a destination of Host B 106. The packet is inspected at the firewall 104. The firewall 104 then transmits the packet to Host B 106 from a second socket in the firewall 104 (Firewall(2) 110). For this connection, the packet indicates a source of Firewall(2) 110 and a destination of Host B 106. Packet transmission from Host B 106 to Host A 102 is similar to, but reversed from, the previous description.
One problem that results is that Host B 106 cannot determine the original source of the packet to be Host A 102. Host B 106 can only access the address of the firewall 104 (Firewall(2) 110).
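The two-socket arrangement of FIG. 1a, and the problem it creates for Host B, can be reproduced on a single machine with loopback TCP sockets. The following is an added example, not code from the patent: `host_b`, `firewall` and `simulate` are constructed here, with Firewall(1) 108 modelled as the listening socket that accepts Host A's connection and Firewall(2) 110 as the separate socket the firewall uses to originate its own connection to Host B. Port numbers are assigned by the operating system at run time.

```python
import socket
import threading
from typing import Dict


def host_b(result: Dict, ready: threading.Event) -> None:
    """Host B 106: accept one connection, record the peer address it observes, reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # loopback only, ephemeral port
    srv.listen(1)
    result["host_b"] = srv.getsockname()
    ready.set()
    conn, peer = srv.accept()
    result["peer_seen_by_b"] = peer       # the only source address Host B can see
    data = conn.recv(1024)
    conn.sendall(b"B received: " + data)
    conn.close()
    srv.close()


def firewall(result: Dict, b_ready: threading.Event, fw_ready: threading.Event) -> None:
    """Firewall 104: Firewall(1) accepts Host A; Firewall(2) opens a new connection to Host B."""
    b_ready.wait(5)
    fw1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # Firewall(1) 108
    fw1.bind(("127.0.0.1", 0))
    fw1.listen(1)
    result["firewall_1"] = fw1.getsockname()
    fw_ready.set()
    conn_a, peer_a = fw1.accept()
    result["peer_seen_by_fw"] = peer_a    # the firewall itself still knows Host A's address
    data = conn_a.recv(1024)
    result["inspected_bytes"] = len(data)  # inspection point: payload is visible to the firewall here
    fw2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # Firewall(2) 110
    fw2.connect(result["host_b"])
    result["firewall_2"] = fw2.getsockname()
    fw2.sendall(data)                     # forwarded with Firewall(2) as the source
    reply = fw2.recv(1024)
    fw2.close()
    conn_a.sendall(reply)                 # reverse path: Host B -> Firewall(2) -> Firewall(1) -> Host A
    conn_a.close()
    fw1.close()


def simulate(message: bytes = b"hello") -> Dict:
    """Run Host B and the firewall in threads; act as Host A 102 from the caller's thread."""
    result: Dict = {}
    b_ready, fw_ready = threading.Event(), threading.Event()
    tb = threading.Thread(target=host_b, args=(result, b_ready))
    tf = threading.Thread(target=firewall, args=(result, b_ready, fw_ready))
    tb.start()
    tf.start()
    fw_ready.wait(5)
    a = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    a.connect(result["firewall_1"])
    result["host_a"] = a.getsockname()
    a.sendall(message)
    result["reply"] = a.recv(1024)
    a.close()
    tb.join(5)
    tf.join(5)
    return result


if __name__ == "__main__":
    r = simulate()
    print("Host A address:          ", r["host_a"])
    print("Firewall(2) address:     ", r["firewall_2"])
    print("Source as seen by Host B:", r["peer_seen_by_b"])
    print("Reply at Host A:         ", r["reply"])
```

When run, the address Host B records for its peer equals the address of Firewall(2), not Host A's address, while the firewall's own record of the accepting socket still names Host A. This is the loss of original source information the text describes, and it is why a service on Host B that relies on the peer address (for access control or logging) sees only the firewall.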